REMARKS 



This Preliminary Amendment cancels without prejudice original claims 1 to 10 in the 
underlying PCT Application No. PCT/DE03/01998. This Preliminary Amendment adds new 
claims 1 1 to 20. The new claims are believed to conform to the U.S. Patent and Trademark 
Office rules and do not add new matter to the application. 

In accordance with 37 C.F.R. § 1.121(b)(3), the Substitute Specification (including the 
Abstract, but without the claims) contains no new matter. The amendments reflected in the 
Substitute Specification (including Abstract) are to conform the Specification and Abstract to 
U.S. Patent and Trademark Office rules or to correct informalities. As required by 37 C.F.R. 
§1.121 (b)(3)(iii) and § 1 . 1 25(b)(2), a Marked Up Version Of The Substitute Specification 
comparing the Specification of record and the Substitute Specification also accompanies this 
Preliminary Amendment. In the Marked Up Version, underlining indicates added text and 
strikeouts indicate deleted text. Approval and entry of the Substitute Specification (including 
Abstract) is respectfially requested. 

The underlying PCT Application No. PCT/DE03/01998 includes an International 
Search Report, dated October 17, 2003. The Search Report includes a list of documents that 
were uncovered in the underlying PCT Application. An English translation of the Search 
Report accompanies this Preliminary Amendment. The underlying PCT Application No. 
PCT/DE03/01998 also includes an International Preliminary Examination Report, dated 
September 17, 2004. An English translation of the International Preliminary Examination 
Report (including a translation of the annexes to the Report, i.e., page 1 of the Specification 
and claims 1 to 10) accompanies this Preliminary Amendment. 

Applicant asserts that the subject matter of the present application is new, non- 
obvious, and usefiil. Prompt consideration and allowance of the application are requested. 
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CONTENT AND SECURITY PROXY IN A MOBILE COMMUNICATIONS SYSTEM 
FIELD OF THE INVENTION 

The present invention relates to a method and a device for 
making available security functions during the transmission of 
data from or to a subscriber terminal unit of a mobile 
communications network . 

BACKGROUND INFORMATION 

Current and new data services offer subscribers of mobile 
communications networks direct access to the Internet internet 
and other public data networks. Therefore, the mobile 
telephone used for mobile application, and ancillary equipment 
driven by it, such as a notebook or a personal digital 
assistant, are at the mercy of the most varied attacks by 
third parties, similar to what happens in a fixed network- 
based Internet inter net access. 

SUMMARY OF THE INVENTION 

It io the obiect Embodiments of the present invention te 
otQtc concern a method and a device for making available 
security functions in the transmission of data from and to a 
subscriber terminal unit of a mobile communications network, 
so as to effectively protect the subscriber terminal unit and 
units connected to it or combined with it. 
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Thio object io attained by the fcQturco of the independent 
claimo , — The crux Embodiments of the present invention 
jr&T -concern, in a cellular mobile telephony network^ to offer a 
security service that is able to be personalized, individually 
per cellular mobile telephony connection and subscriber. 

¥h eln embodiments of the present invention, the subscriber may 
adjusthie security settings interactively or dynamically. 

The network operator may specify a series of meaningful 
standard settings for the filter functions, such as virus 
protection, protection from advertising mail, etc. 

In this context, the protective function is offered by a 
network-specific device in the form of a security and 
filtering device. In addition, the general protective function 
may be coupled with a memory function, i.e.^ parts of the data 
traffic are temporarily stored in the device, and may be 
retrieved by the subscriber. Consequently, the security and 
filtering device may additionally take over the function of a 
so-called proxy. Proxy ,.Proxv'' meano ao much ao 
^reprcoentative oervice'' . m eans representative service. Proxies 
accept requests from a client, for instance, a terminal unit, 
and pass them on, possibly modified, to the original 
destination, such as an Internet internet supplier. Proxies are 
able locally to file data that are passed through and to 
deliver them upon the next access. 

With that, at the same time, one achicveo can achieve an 
increased performance, since certain contents may be buffered. 

According to the present invention, the following protective 
functions may be offered by the system embodiments described : 

-Filtering of the data traffic on an IP/TCP basis in the form 
of a so-called firewall function; 



2 



function. — Furthermore, — filtering/ rcfuoing - Filtering/refusing 
data packets of a certain origin (IP address) or data packets 
from and to certain services (TCP porto) . ports) ; and 

-An analysis of the data content for contents that are 
malicious or critical to security. 

The entire content of a data connection is analyzed and 
searched according to certain patterns. Signatures of viruses, 
etc, are tracked down and rendered harmless before they reach 
the terminal unit of the subscriber. 

An analysis of the data content for undesired subject matter, 
such as in the form of spam, advertising or offensive 
material. For this, the entire content of the connection is 
analyzed and content stated by the subscriber as being 
undesired is filtered out, for instance, to protect children 
and juveniles. 

The network operator himoclf is able to use the mechanisms of 
the system in order purposefully to cut out, for certain 
subscribers, certain data traffic, such as services liable to 
costs, if the subscriber has not subscribed to this service. 

The filtering function for the data content may be enhanced 
meaningfully and technically, using the same mechanisms 
additionally using the following functions. 

For example, a limiting of the data transfer volume jTS -can be 
relatively easy to implement. To do this, the entire traffic, 
under certain circumstances separated into incoming and 
outgoing traffic, is summed up, and additional traffic is 
stopped if the limit specified by the user or operator is 
exceeded. 

In addition, budget compliance may be checked, using one 
component to calculate the compensation. The subscriber or the 
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operator may specify a certain upper limit for communications 
cost. If the established budget is exceeded, the subscriber is 
notified and the data traffic is stopped. This makes possible 
an effective cost control and cost transparency. 

Additional functions may be integrated into the system in a 
meaningful wev- ^wav as indicated in the following. 

If certain events occur, i.e.^ if attacks are detected, spam 
mails are filtered or similar events are recognized by the 
system, and notification is made of the subscriber or network 
operator, in order to enable a transparent control of the data 
filtered out. 

The subscriber may also decide administratively whether h4^5 -the 
subscriber' s entire traffic should be conducted over the 
system or only selectively, i.e.^ at certain times, according 
to specific incidents or upon suspicion of misuse. 

According to one rcfincmcnt ln embodiments of the present 
invention, a distributed implementation of the filter 
functions may be provided, i.e.^ the security and filter 
device is not provided centrally in one network node of the 
mobile communications system, but rather in a distributed 
manner, or individually in a plurality of network nodes. The 
load on a single node is reduced thereby. 

This device of the system may 

a) be conditioned spatially or upon network technology, 
i.e.x, distribution to several networks or network nodes, 

b) be conditioned functionally, for instance, special filter 
components for certain data contents, and, for example, 
email filters, virus filters, etc^, or 
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c) conditioned upon architecture or software technology, 
based, for example, on the use of special hardware and 
system software for certain functions. 

The administration of these additional functions may be 
performed in each case centrally, from a certain node. 

An exemplary embodiment of the prcocnt invention io CKplaincd 
below, — in the light of a drav^ing. 

BRIEF DESCRIPTION OF THE DRAWING 

Figure 1 ochcmQtically ohowo shows a schematic of the technical 
design of the system. 

DETAILED DESCRIPTION 

The system is a part of a mobile communications network 10, 
which prcmito permits a multiplicity of subscriber terminal 
units 13 communications with other public networks, such as 
the Internet internet 11. Furthermore, combined units 14, such 
as i^GT — PejV7 -a personal computer (PC), personal digital 
assistant (PDA) , Smartphone, etc^, that are connected to 
cellular mobile telephony terminal unit 13, may be provided, 
which make possible a comfortable, mobile Internet internet 
use. 

Security and filter device 1 is situated within mobile 
communications network 10, prefcrQblv e.g. , within an 
appropriate network node, such as an exchange MSG, and-r 
according to the preocnt invention, it may be made up of 
the f ollov^ring functional parts described below . 

General filter component 2: 

This component has a variable filtering function specifiable 
by the subscriber/network operator, and it operator. It 
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analyzes in real time the data flow 12 exchanged between 
terminal unit 13 of the subscriber and Internet internet 11. 
Subscriber traffic 12 in both directions goes via this filter 
2 and is analyzed there. 

Authentication component 3: 

In order to use security and filtering device 1, the 
subscriber has to authenticate himself vis-a-vis the system. 
Thorcbv Thus, it is ensured that no unauthorized access can 
take place to, for inptancc, example, the personal settings of 
the subscriber. In the oimploot caoc^ For example, the 
authentication may occur via call number MSISDN of the 
subscriber. The subscriber is protected more securely eft4 
better by the use of an additional PIN or a password. If 
necessary, a cryptographic authentication method may be used, 
e.g.^ certificates of the subscriber. 

Administrative component 4: 

This component forms the interface between the system and the 
subscriber. Here the subscriber may administer hjre the 
subscriber ' s personal settings. This can be done directly via 
the cellular mobile telephony system, the Internet or internet 
and/or fixed network-based customer interfaces of the network 
operator. 

Database 5: 

Database 5 describes which data are to be filtered out by 
filtering component 2 or are to be processed. This database 5 
may advantagoouoly be split up into four databanks. First 
databank 6 includco m av include the individual filter and 
settings per subscriber. Second databank 7 includoo m av include 
the filter and settings per mobile phone type. 

Third databank 8 includco m av include the network operator- 
specific settings and filter, and fourth databank 9 
includco m av include the general settings and filter. 
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What io Claimed io; 
WHAT IS CLAIMED IS: 
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Abotract ABSTRACT OF THE DISCLOSURE 

The invention rQlatGO to q A method and device for providing is 
provided for making available security functions during the 
transmission of data from and to a subscriber terminal of a 
mobile communications network. A real-time analysis of the 
data flow from and to the subscriber terminal is carried out 
in a device of a network node of the mobile communications 
network during which data with contents defined beforehand by 
the subscriber or by a network operator / provider are 
identified and processed. This results in protecting the 
terminal and subscriber's devices connected thereto from 
external attacks in the boot way poooiblc . 
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